Tank overfill protection, a part of an Emergency Shutdown system

Tank overfill protection has been around for more than a decade, but it’s only post-Buncefield that its importance has been fully appreciated. After Buncefield, “No more excuses”, says Ian Parry, Functional Safety Specialist at HIMA-Sella, and he discusses the development of a stand-alone, high-availability safety system.

Whilst it is about five years since the explosion at Buncefield fuel storage depot physically shook Hemel Hempstead, and metaphorically shook the petrochemical industry, the incident was back in the media in the summer following the fining of those companies considered responsible.

The penalties imposed against some are considered to be amongst the highest to date in relation to safety offences in the UK. Even so, there was considerable public outcry that the fines were too lenient, which created a second wave of ‘bad PR’ against the companies (and individuals) that were named and shamed.

The explosion, which is regarded as one of the largest in peacetime Europe, occurred in the early hours of Sunday 11 December 2005, when a storage tank overflowed. Fuel cascading down from vents at the top of the tank mixed with air to form a petroleum-vapour cloud which subsequently ignited.

As for how the overflow occurred, two significant factors are believed to be that: (a) a servo-level gauge had stuck, indicating that the tank was only at 85% capacity and therefore allowed for the addition of further fuel, and (b) an independent high-level alarm failed to operate and shut down the feed to the tank.

The reasons for the failure of the gauge (which had apparently failed before) and the high-level alarm (which it is reported can be placed into an inoperable position after testing, and on which a safety alert had been issued by the HSE) are still unclear. Suffice it to say that the explosion led to an investigation, conducted by the Buncefield Major Incident Investigation Board (MIIB).

As a direct result of the incident, and subsequent investigation, the UK Petroleum Industry Association (UKPIA) and Tank Storage Association (TSA) announced, in September 2008, that their members had committed to the standards of BS EN 61508 Safety Integrity Levels (SILs) and the installation of automatic shutdown systems to prevent the overfilling of storage tanks (that receive fuels via pipeline transfer).

In response to the above initiative many companies began developing, from scratch, ways of affording greater levels of safety for fuel storage tanks. Others though had been implementing overfill protection, as part of broader Emergency Shutdown (ESD) systems, long before the Buncefield incident. Hima-Sella, for example, first provided overfill protection as part of a safety upgrade at a tank farm in Grangemouth in the 1990s.

Hima-Sella has been actively involved in the design, supply and installation of a variety of control and safety systems to the oil and gas industry for more than 35 years. Its ESDs that have included overfill protection have been traditionally implemented using the company’s HIQuad or Planar F platforms (programmable electronic systems and solid state logic solvers respectively).

However, in the wake of the Buncefield incident – and with many petrochemical facilities wishing to add or enhance tank overfill protection without embarking on a site-wide upgrade – there was perceived within Hima-Sella the need for an easy means of ‘layering on’ tank overfill protection. Accordingly, and channelling almost two decades’ worth of relevant experience into the task, the company developed a tank overfill protection solution (TOPS) around its HIMatrix family of programmable logic controllers (PLCs).

Many oil and gas industry safety-related functions had already been, and continue to be, successfully implemented using HIMatrix; and these functions include Fire & Gas (F&G) Detection, Burner Management Systems (BMS), High Integrity Pressure Protection Systems (HIPPS) and ESD.

When used with suitable valves and transmitters, HIMatrix can be included in BS EN 61508 safety loops up to and including SIL 3. In addition, the platform is suitable for use in Zone 2 ATEX areas so, for TOPS, it can be sited close to the tanks it protects; thus simplifying cabling and reducing associated costs.

Also of great appeal to facilities seeking tank overfill protection was the fact that the HIMatrix hardware building blocks (the PLCs and I/O modules) plus suitable sensors can be configured to serve a range of safety requirements – from protecting a single tank through to a depot-wide network (using safe-Ethernet) if need be. But hardware is only part of the story. System behaviour is set in software – with the programs compiled using ‘certified functional blocks’.

Indeed, it is the combined hardware and software architecture, plus ‘how’ functions like TOPS can be implemented, that made HIMatrix – which is IEC 61508 certified by the TÜV – such a suitable platform.

For example, consider what TOPS sets out to do. A basic control loop for filling a tank might use a level gauge as a trigger to shut off a pump; and to a large degree this is just “hard-wired logic”. The tank is either full or it isn’t. Clearly though, such black-or-white logic fails if the gauge sticks below its trigger level; as the tank will continue to fill. Such a system could not be built using BS EN 61508 certified equipment and engineering methodologies; in that – within the system development tools – the architecture would not compile (without errors anyway).

The safest approach is to be aware of changing levels; to go analogue if you wish. And an intelligent safety system would question why, when telling the pump to work, the level in the tank is not changing. Whether it is the pump or the level sensor at fault is almost irrelevant. Something is amiss, so stop.
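The check described above, sketched in Python as an added example; it is not Hima-Sella's TOPS logic or a HIMatrix function block. The class name, thresholds, scan window and sample readings are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OverfillGuard:
    # All thresholds are assumed values for illustration, not from the article.
    high_trip_pct: float = 95.0  # close the inlet at or above this level
    min_rise_pct: float = 0.5    # least rise expected across `window` scans while filling
    window: int = 4              # consecutive filling scans used to judge movement
    tripped: bool = False
    reason: str = ""
    _history: list = field(default_factory=list)

    def scan(self, level_pct: Optional[float], filling: bool) -> bool:
        """Process one scan; return True if the inlet valve must be closed."""
        if self.tripped:
            return True  # latched until someone investigates and resets
        if level_pct is None or not 0.0 <= level_pct <= 100.0:
            return self._trip("level signal invalid")
        if level_pct >= self.high_trip_pct:
            return self._trip("high level")
        if not filling:
            self._history.clear()  # no movement is expected when idle
            return False
        self._history.append(level_pct)
        if len(self._history) > self.window:
            self._history.pop(0)
        if len(self._history) == self.window:
            # Pump or gauge at fault? It does not matter: something is amiss, so stop.
            if self._history[-1] - self._history[0] < self.min_rise_pct:
                return self._trip("level not changing while filling")
        return False

    def _trip(self, reason: str) -> bool:
        self.tripped, self.reason = True, reason
        return True

def run(guard, samples):
    """Feed (level_pct, filling) scans; return (index of trip, reason) or (None, "")."""
    for i, (level, filling) in enumerate(samples):
        if guard.scan(level, filling):
            return i, guard.reason
    return None, ""

# Constructed readings: a gauge that sticks at 85% while the feed keeps running,
# a healthy fill that reaches the high-level trip, and an idle tank.
STUCK = [(83.0, True), (84.0, True)] + [(85.0, True)] * 5
HEALTHY = [(90.0, True), (91.5, True), (93.0, True), (94.5, True), (96.0, True)]
IDLE = [(50.0, False)] * 6
```

A plain high-level switch would never act on the `STUCK` sequence, because the reading stays below the trip point; the rate-of-change test is what closes the inlet.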

Also of great appeal to those seeking to layer on tank overfill protection is, of course, the speed with which it can be introduced to a site. On that point, it is worth noting that one of the first sites in the UK to adopt Hima-Sella’s TOPS was (in the summer of 2008) the Mayflower fuel storage depot at Plymouth.

There, the initial requirement was to protect a single tank. This was achieved using a HIMatrix F20 PLC mounted in an enclosure on the side of the tank. It monitors a fuel level gauge and can trip an inlet valve if necessary; whilst transmitting data back to a DCS on the site. In addition, there is an ESD pushbutton. This is line-monitored to provide extra safety should a failure of the pushbutton or its associated wiring occur.

In 2009, additional tanks on the Mayflower and Cattedown sites were fitted with TOPS, bringing the total (between the sites) to around 20.

Most recently, in the summer of 2010 (and on the heels of the ‘Buncefield fines’), Hima-Sella has seen a dramatic rise in interest for its TOPS. Most enquiries were, understandably, from site operators/owners. Interestingly though some insurance companies have been enquiring too; as they are becoming increasingly interested in the feasibility of enforcing level-monitoring at smaller storage depots (particularly those which are unmanned when deliveries are made).

In addition, Hima-Sella has recently started working with a number of sensor manufacturers – including Vega, Krohne and Endress & Hauser – and has begun evaluating a variety of sensing technologies including radar, differential pressure and ultrasonic level measurement.

In conclusion, and repeating our opening gambit, ‘Buncefield’ is back in our minds following the fining of the companies held responsible. Also, the Health & Safety Executive and Environment Agency [together, responsible for regulating non-nuclear hazardous industrial sites in the UK under the Control of Major Accident Hazard Regulations (COMAH) 1999] are responsible for ensuring that lessons are learned. Acting together as a competent authority, and in the wake of the Buncefield fuel depot explosion, they will come down hard on companies that put workers and members of the public at risk, and which cause environmental damage.

In the event of another explosion as a result of a tank overfill, companies will have no excuses for not doing their utmost in terms of implementing reliable and fail-safe preventative measures and procedures.

Ian Parry, Hima-Sella, www.hima-sella.co.uk


One Response

  1. nice info.
    I would like to link into your blog cause will guide me more about anything in engineering and instrumentation. Also in automation and design.
